Database Reference
In-Depth Information
It was tempting to give write access to All Authenticated Users so that
anyone could stream data directly to the logs tables, but that would mean
that anyone could write anything they want to our tables and we'd end
up paying for it. It also means that anyone could falsify the data; for our
purposes that isn't important, but in many others, it would be a serious risk.
Instead, we have a service account write updates on behalf of our streaming
users; the logs are written to by a different service account than is used for
give that account write access.
Figure 4.7
has the sharing setup for the
logs
dataset.
Figure 4.7
Sharing setup for logs dataset
The
backups
dataset is locked down even more; it is only writable by
project owners. The
reference
and
dashboard
datasets are considered
less sensitive, so they have default access left in place. They will be read
and written by service accounts (via the AppEngine app), but those service
accounts are members of the project, so we don't need to set any special ACL
entries.
